Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Thursday, January 14, 2010

The Real "Cyber War"

For the love of all things good and pure - stop the madness!

It had to be said. My inbox lately has been filled with vendors' emails, news articles, blog entries and papers on this concept of "cyber war"... but please, people - think this through before you start building the bomb shelter.

I want to take this in two parts. The first half of this post looks at and analyzes what the current definition of cyber war has come to mean in the mainstream media, and even among the security luminaries. The second half of this post focuses on what cyber warfare really could be, and the frank and sane analysis I feel we're just not getting. Before I get too deep into it I want to make sure I give RSnake credit for planting this seed of thought in my mind with the conversation we had back at SecTor in the fall of last year. He's got some great ideas and I think he's one of those rare people looking at this sanely.

--- Part 1: Analysis

If one is to believe modern media (mainstream press, bloggers, etc.) you'd get this image in your mind of a cyber war where two sides square off against each other in battle. Each side, in this case, has an army of uber-geeks and super-hackers ready to devastate the other side's military might and cripple their country. Essentially, if you really blow through the smoke and hand-waving panic, it boils down to a large-scale DDoS attack concentrated against military networks or some war-related entity.

Now, I read all these types of articles and ask myself ..."Really?"

Let's take the two countries which we know are at obvious public odds in modern day politics - the United States and China. We know that the Chinese have been trying to infiltrate our military networks, our sacred Google, and other institutions, which raises eyebrows. This is all good, and I'm sure much of it is very real - but this is not a cyber war... by any stretch of the imagination. Dropping the search terms "cyber war" into good ol' reliable Google yields some mind-blowing results that make me wonder what the authors were thinking... or even if they were! This one from our kiwi friends down under makes me chuckle - and then slap my forehead, because if the source is Reuters then someone needs to have their head examined...

"Hackers calling themselves the "Iranian Cyber Army" hit the main webpage of Baidu, China's largest search engine, yesterday morning, covering the page with an Iranian flag and other symbols.

Chinese blogs quickly erupted in calls for retaliation, and Chinese flags and patriotic slogans soon began to appear on websites registered in Iran, Britain's Financial Times reported.

In December the "Iranian Cyber Army" hacked popular microblogging website Twitter, replacing Twitter's home page with the same headline and an anti-American message."

Wow, just wow. You know, before the term cyber war became inflammatory and drove clicks we used to call this hacktivism, and before that cyber-graffiti. Big deal, a bunch of Iranian computer nerds defaced (maybe even hijacked the domain of) Baidu.com, China's search engine. How is this a declaration of, or an act of, war?! Someone please explain it to me, I'm at a loss.

Even our good friends at El Reg (the Register) got in on the lunacy... They make comments like this one to make people angry, or afraid ... or...

"The South's cyberwar centre can also be seen as a response to a rumored cyberwarfare unit already operating out of North Korea. Rumours have it the unit is staffed by around 100 including graduates from a military academy in Pyongyang. Whatever the truth of these reports it's probably fair to say that cyber-paranoia is rife on both sides of the 51st parallel."

Again, wow. You mean there is now state-sponsored hacking? Wait, didn't we used to call this espionage? Hasn't this been going on since, well, the dawn of nations? I guess it's cyber war now because the term is cool and makes people take notice... and because we do it over computers, right?

If you believe what you're currently reading in the mainstream, you're likely to believe that there are little teams of super-nerds on both sides of the cyber trenches, looking across the cyber battle-field at each other, trying to figure out how to defeat the other in cyberspace. Honestly... really?

Forget this involves computers just for a moment. Is theft of military information by a hostile nation-state an act of war? If it is then we have a much bigger problem on our hands because we've been at war with just about every hostile nation-state/government for ...forever. Yes, it's a clear act of defiant espionage, maybe even an attack - but it's nothing new.

--- Part 2: My Take

First, let me say that I think the idea of a cyber war is very real, but it's not what the media is selling us. Cyber warfare is just queuing up... and despite what you're hearing in the press it's not going to be one army vs. another in a fight for nerd supremacy. It's going to be all-out digital destruction. Let's take this topic sanely. First take a breath and visualize packets streaming across the wires of the Internet ... how do these little packets cause physical, real, and serious damage? Does a DDoS against a military network really cause irreparable and serious damage? Only if that attack causes a loss of life, or other catastrophic event. Has the light bulb gone off yet?

I mention loss of life or catastrophic events because rarely do hacks cause either of those. You'd have to be able to do something like wipe out the nation's power grid, or poison the water supply, or kill millions - and in the scenarios we're being fed today in the media none of that is going to happen. To cripple or destroy a nation you have to go after resources that are vital for survival. What are these resources?

If you think about it, there are three things which, if catastrophically affected, can bring down a government or nation. Food, energy, and financial resources are the only things, in my humble analysis, that will cause the collapse of a government or nation today. How does a hostile nation wishing to wage cyber war affect those three things by sending out packets across the wire? That's an altogether different question. Allow me to work through these in order of importance. Keep in mind the aim of war - to force the other side to surrender - in the physical world.

Financial Resources | A nation can be crippled and reduced to nothing in a matter of weeks without financial resources. The ability to conduct commerce, trade currency, work in the global stock markets, and bank is paramount to the health of a nation. If you take this vital ability away you can implode an economy, thus inflicting untold pain on the inhabitants. It's fairly easy to see what kinds of things happen when an entire country's economy collapses ... crime goes up, chaos ensues, and order quickly gives way to chaos. Waging a cyber war in which an attack against a nation's financial resources succeeds isn't simple. This type of attack requires tremendous effort, tremendous amounts of coordinated effort. Modern networks are resilient to failure, DDoS, and other attack mechanisms... but what if you could just cause enough chaos to throw the US stock market into a tailspin? What would that take, you ask? Silently, and I stress silently, dropping minor glitches into the whole network of inter-connected ordering systems, banks, clearing-houses, and traders would cause chaos in short order. I stress this has to be done silently because once people know it's happening you lose the element of panic and chaos it causes. If you know someone's attacking the NYSE and your responses are down, you don't panic as much as if you're trying to make trades and every one is off by just a millisecond, affecting your profit/loss margins by potentially billions. Crippling a nation's financial means is a complex task and takes significant insider knowledge, lots of planning and incredible amounts of resources ... and I will go out on a limb and say having 100 Koreans locked in a basement somewhere exploiting 0-days isn't going to cut it.

Energy | The energy problem is much more difficult to solve, although it can have a much more cataclysmic effect much faster. If someone could trigger catastrophic conditions at nuclear facilities across the country simultaneously it would achieve the goal of killing millions and bringing the country to its knees ... but that's not going to get the US president to sign a surrender of the country. Crippling oil pipelines, energy delivery mechanisms, research and power grids can be used as a mechanism to support an invasion of actual troops - but again... unless you're going to have infantry on our shores you're not going to achieve much beyond devastation and chaos. Can it be done? Can a cyber war achieve the goal of a nation's surrender by crippling its energy supplies and delivery? Maybe, but it's not likely. It is far more likely that this kind of attack would be leveraged in a troop-based military assault. Funny thing though: even though much of the nation's energy grid is pushing to be inter-connected, at least today you would still have to do a lot of manual work. Most of these systems aren't Internet-accessible, so infiltrating them requires much more than pasting your nation's flag on their search engine's homepage ... idiots.

Food | The nation's food supply is a key ingredient to its health. Ask anyone who's watching people starve to death in Africa or elsewhere... there is no order when your inhabitants are dying of starvation. It's hard to envision such a situation in the United States because we're such a huge exporter of foodstuffs to the rest of the world - but elsewhere it could work. The problem with this, of course, is how do you use packets streaming through the Internet to destroy food supplies? Some possible ways are messing with food transport and causing delays, mis-routes, etc., which could lead to spoiled food. Infiltrating food-production networks isn't fruitful because many of these networks operate on the old conveyor belt methods, and it's not like the cheese plant in Wisconsin is going to be hacked into and all of a sudden produce deadly cheese ... at least I would hope not. Thinking sanely, the food avenue seems to fall out of the picture for many reasons, but the biggest is that food is such a physical endeavor, from growing, to processing, to transport, to sale.

After all that, the most likely target is the nation's financial resources. So this isn't really war then, as much as it is just plain hacking. Or do we call it war because it's state-sponsored? Think about it, before you throw around the term cyber war loosely next time. Does the PDF 0-day hack being exploited by the Chinese hackers to steal your passwords really constitute an act of war? What about GhostNet? Was GhostNet an act of cyber war?

I would agree that some of the things going on lately, including the discovery of GhostNet (originating from that cesspool we call China), may be hostile nation-sanctioned attacks and state-sponsored espionage, but this in itself is not cyber warfare, folks. If you look up the definition of war:

"War is a behavior pattern exhibited by many primate species including man, and also found in many ant species. The primary feature of this behavior pattern is a certain state of organized violent conflict that is engaged in between two or more separate social entities. Such a conflict is quite often an attempt to resolve a dispute over various commodities such as territory, resources, or other material advantages. Such disputed commodities are usually perceived by the parties engaged in the conflict as being available only in a limited or insufficient supply. In addition to the violent and obvious physical goals of securing various material advantages that war agendas often include, war agendas often also include certain more subtle, yet often more compelling, psychological goals of attempting to alter or reaffirm previous relationships of social domination/ submission/ or equality between two or more social entities" (Wikipedia ref)

...you will realize that hacking... while destructive, is not war. Cyber attacks are a component of, but not in themselves, war. War is hell, hacking (in mainstream context) is a nuisance.

2 comments:

1. I think the term cyberwar is mostly used by people who don't have a clue about what is really going on. 'Cloud' also fits in this category (yes, I went there).

2. The examples of cyberwar you mention mostly target civilians. You can use conventional, physical attacks to disrupt financial, energy and food networks just as easily as computers. But a nation attacking another nation's civilian infrastructure is generally frowned upon in the international community and certainly doesn't help to win over people's hearts and minds. (Note: since terrorists' goals are different and they don't report to their respective nations or the international community, these tactics are acceptable for them).

3. Tangent- but have we really become so enamored with money and wealth that disrupting financial services would cause us to descend into chaos? If so, I feel our values are grossly misplaced and that's a pretty sad state of affairs, no matter how you look at it.

4. 'cesspool we call China'? What's with the name calling? Not every Chinese person is using computers to attack other countries.

I think cyberwar is going to happen in much more subtle ways and not be a complete doomsday scenario like many are predicting. A good example, I believe I heard it on a Pauldotcom podcast, is the UAV drones' video feeds being viewed using satellite dishes and $26 software. Our use of technology (UAVs) opened up a new type of attack - intercepting the video feeds. But this is just your typical cat-and-mouse game that has been going on with military strategies throughout the ages. Once we learn how to use computers to enhance our military capabilities, someone else is going to try to find a way to use computers to turn that around to their advantage. Computers and tech add another element to the battlefield, just like the invention of the airplane did. But for some reason we seem to get frightened by new things we don't understand, even though after a while they will become 'ordinary tools' just like fighter jets are today.

1) I agree with you on the 'cloud' thing... been saying it since people started talking about it.

2) These really aren't attacks against civilians - rather an attack against a nation. The mistake I think people that talk about this thing are making is for some reason they think "war" will be contained within the military (from both sides). That's ridiculous!

3) It's not just being enamored with money - it's that our entire society is based on money. Can you imagine the systemic break-down of the financial markets inside the US? That kind of adverse attack would bring financial ruin and quickly create untold chaos.

4) Just like Wanadoo.fr many years ago, many networks already filter (read: block) routes to and from China ... so yes I think I am making it an accurate statement when I say "cesspool". It's not a pretty picture over there, and no one seems to care.

I do agree that things will likely kick off more subtly in the "cyber" world - as this medium lends itself easily to this kind of attack. Attacks over the Internet ("cyber") will likely be psychological in nature more so than an RPG fired at a building... make sense?

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up better to misuse and attack.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.